sccrdude1 All American 611 Posts
I wrote a login script and it works, but I have to log in twice for it to work. Any ideas?
$display_block .= "<form method=\"post\" action=\"$SELF_PHP\">
<p><b>Username:</b> <input type=\"text\" name=\"username\" size=10>
<strong>Password:</strong> <input type=\"password\" name=\"password\" size=10>
<input type=\"submit\" name=\"submit\" value=\"Login\"></p>
</form>
";

$sql = "SELECT * FROM $table_name WHERE username= \"$username\" AND password=password(\"$password\")";
$result=@mysql_query($sql, $connection) or die("Couldn't execute query.");
$num = mysql_numrows($result);
if($num != 0){
    include("setcookie.php");
}

<html>
<body>
<? echo "$display_block"; ?>
</body>
</html>
[Edited on December 14, 2006 at 12:49 AM. Reason : ] 12/14/2006 12:47:00 AM |
spöokyjon ℵ 18617 Posts
That's a janky-ass way of authenticating a password.
I doubt this is the case, but you really shouldn't use that for anything that actually requires security.
[Edited on December 14, 2006 at 1:06 AM. Reason : ] 12/14/2006 1:06:20 AM |
sccrdude1 All American 611 Posts
I wasn't really concerned about security when I wrote it. I have it to log in so I can do some simple admin stuff, nothing that is important at all. But how would you suggest writing it? I'm just learning this stuff and would love some input/advice.
12/14/2006 1:31:24 AM |
dFshadow All American 9507 Posts
Can you just use Apache's htaccess?
[Edited on December 14, 2006 at 1:42 AM. Reason : .] 12/14/2006 1:41:54 AM |
Bakunin Suspended 8558 Posts
Well, I don't know about your problem, but I'd hash the $username in the PHP before passing it to SQL to prevent someone from logging in as ";UPDATE table SET password=password("pwned");" or something
[Edited on December 14, 2006 at 8:12 AM. Reason : $password too, at that] 12/14/2006 8:10:41 AM |
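Added example, not part of any post in this thread: one way to write the credential check so that input like the string quoted in the post above is bound as data instead of being spliced into the SQL text, with the password stored as a salted hash via password_hash(). It assumes PHP 7 or later with the pdo_sqlite extension (the mysql_* functions in the original script were removed in PHP 7.0); the users table, its column names and the sample account are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table stands in for the thread's MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash that is verified against when the username is unknown (hypothetical helper constant).
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

/**
 * Returns true only when the username exists and the password matches its stored hash.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // Placeholder binding: the username reaches the database as a value, never as SQL text.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one verification so response time does not reveal valid names.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // The comparison happens in PHP against a salted hash, not inside the query.
    return password_verify($password, $hash);
}

// Constructed login attempts; the third username is the string quoted in the thread.
$attempts = [
    ['admin', 'correct horse'],
    ['admin', 'wrong'],
    ['";UPDATE table SET password=password("pwned");"', 'pwned'],
    ['admin', 'pwned'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-50s %s\n", $user, check_login($pdo, $user, $pass) ? 'accepted' : 'rejected');
}
```

Only the first attempt is accepted; the last one confirms that the stored password was not changed by the third.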